ep's blog

Adobe Shockwave Player Multiple Remote Code Execution and Denial of Service Vulnerabilities


"Adobe Shockwave Player is prone to a multiple remote code-execution and
denial-of-service vulnerabilities.

Attackers can exploit these issues to execute arbitrary code in the
context of the currently logged-in user and to cause denial-of-service

Versions prior to Shockwave Player for Microsoft Windows and
Apple Mac OS X are vulnerable. "

Sun Java SE November 2009 Multiple Security Vulnerabilities


"Sun has released updates to address multiple security vulnerabilities
in Java SE.

Successful exploits may allow attackers to bypass certain security
restrictions, run untrusted applets with elevated privileges, execute
arbitrary code, and cause denial-of-service conditions. Other attacks
are also possible.

These issues are addressed in the following releases:

Multiple Intel Desktop Board Models Bitmap Processing Buffer Overflow Vulnerability


Vulnerable Intel Motherboards

Intel DQ45EK 0
Intel DQ45CB 0
Intel DQ35MP 0
Intel DQ35JO 0

"Multiple Intel Desktop Board models are prone to a buffer-overflow
vulnerability because they fail to properly bounds-check user-supplied data.

Successfully exploiting this issue will allow local attackers to run
arbitrary code with elevated privileges or trigger a denial-of-service

Linux Kernel 2.4 and 2.6 Local Information Disclosure Vulnerability


"The Linux kernel is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to obtain sensitive information
that may lead to further attacks."

This affects kernels earlier than

Check with your vendor for an update and apply as soon as possible.

Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability


"Linux kernel is prone to a local privilege-escalation vulnerability
that is caused by a NULL-pointer dereference.

Local attackers can exploit this issue to execute arbitrary code with
kernel-level privileges. Successful exploits will result in the complete
compromise of affected computers. Failed exploit attempts will result in
a denial-of-service condition. "

This affects RHEL, SuSE, etc. Kernels before

BlackBerry Desktop Manager ActiveX Control Remote Code Execution Vulnerability


Versions of Research In Motion Blackberry Desktop Manager earlier than
5.0.1 are vulnerable to an ActiveX vulnerability that could lead to
remote arbitrary code execution.

Users should update their Desktop Manager application to the latest version.

Drupal LDAP Integration Cross Site Scripting and Authentication Bypass Vulnerabilities


"Drupal LDAP Integration is prone to a cross-site scripting
vulnerability and multiple authentication-bypass vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based
authentication credentials, execute arbitrary code, and gain
unauthorized access to the affected application. "

This affects Drupal LDAP Integration 6.x-1.0-beta1, Drupal LDAP
Integration 5.x-1.4.

Pegasus Mail POP3 Response Remote Buffer Overflow Vulnerability


"Pegasus Mail is prone to a remote buffer-overflow vulnerability because
it fails to properly sanitize user-supplied input.

An attacker may exploit this issue to execute arbitrary code in the
context of the vulnerable application. Failed exploit attempts will
likely result in a denial-of-service condition.

Pegasus Mail 4.51 is vulnerable; other versions may also be affected."

Multiple vulnerabilities in Opera allow for remote code execution and URL obfuscation


"Specially crafted domain names can cause a memory corruption in Opera,
which may lead to a crash. Successful exploitation can lead to execution
of arbitrary code."

"Opera may allow scripts to run on the feed subscription page, thereby
gaining access to the feeds object. This can be used for automatic
subscription of feeds, or reading other feeds."

Drupal - SA-CONTRIB-2009-085 - Insert Node - Cross Site Scripting



The Insert Node module provides an input filter that enables a node to
be inserted within the body field of another node.

The module fails to sanitize the inserted node, making it vulnerable to
a cross site scripting (XSS) attack.
Versions affected

* Insert Node module versions for Drupal 5.x prior to Insert Node